Occasional Contributor I

Which ports does onboarding mac osx require?

System information:

ArubaOS (MODEL: Aruba7210), Version
ClearPass Policy Manager on CP-HW-500 platform


problem description:

Currently have onboarding setup and working in my customers environment so long as I have an 'allow-all' assigned to the user role that the devices are getting onboarded from.


As soon as I take away this 'allow-all' I can still onboard from Android and iOS, but when it comes to onboarding a MacBook (running Mavericks) I am unable to onboard. I am able to reach the onboarding landing page, and receive the configuration profile installer. When I run the profile installer it times out and fails the install.


The traffic for the client at the controller that is going to ClearPass is all on HTTPS 443 and is all being allowed. This works fine for iOS as I already mentioned. I cannot see any denies for the client at the controller firewall, so I am perplexed as to what I am not allowing that is causing the fail on the MacBook. Putting the 'allow-all' back on the role allows me to onboard again, but obviously I don't want an allow-all on this role.


Anybody know what I need to allow at the firewall to let the user onboard, other than the following?


user -> clearpass -> http -> allow

user -> clearpass -> https -> allow


Any help is much appreciated.

Guru Elite

Re: Which ports does onboarding mac osx require?

Try allowing TCP 1640 and TCP 5223. These are the ports used by Apple's SCEP and push notification services.



user    any     tcp 1640    permit

any      user   tcp 5223    permit

Tim Cappalli | Aruba Security | @timcappalli

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: Which ports does onboarding mac osx require?

Hi cappalli, thanks for your quick response.


I've tried opening the ports as you have recommended, which hasn't solved my issue =[


I did do some more investigating though and found that the:

user   any  any  permit

is what is required to make it work. Still need to narrow this down to some specific ports/protocols though....

Re: Which ports does onboarding mac osx require?


You should only have to allow http and https, but make sure you use both the IP and FQDN.


In my firewall I have a destination alias defined for my VIP, Server 1 and Server 2 by IP and FQDN


[Two screenshots of the destination alias definitions (VIP, Server 1 and Server 2 by IP and FQDN) were attached here.]

Thank You,

Occasional Contributor I

Re: Which ports does onboarding mac osx require?

Hi Tarnold, thanks for the response.


HTTP and HTTPS using the IP and FQDN had already been allowed through the firewall to the ClearPass servers and VIP.


It turns out that the MacBook is trying to reach out to Apple's APNS, which in our environment requires it to go via a proxy and receive a proxy PAC. So the solution was to allow access to the proxy to receive the proxy PAC. Even though the MacBook still couldn't get out to the APNS, it was able to receive its proxy PAC and was happy from there onward.


Firewall policy that was needed (in addition to http/https to clearpass):

[Screenshot of the proxy firewall policy was attached here.]

Hope this is able to help someone else out there! =]
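To make the thread's outcome reproducible without a controller, here is an added example (not from any poster, and not ArubaOS code) that models first-match role ACL evaluation over the rule lines quoted above and checks which client-initiated onboarding flows each rule set permits. All addresses, the alias names (`clearpass`, `proxy`, `apple-apns`) and the proxy port 8080 are constructed assumptions, since the thread's screenshots are not available; Tarnold's "IP and FQDN" point is represented by listing every address the FQDN resolves to in the alias. The thread's `any user tcp 5223 permit` line is modelled exactly as written, which means it describes return-direction traffic and therefore does not match a flow the client opens.

```python
"""Model ArubaOS-style role ACL evaluation for the onboarding flows in this thread.

Added illustration, not the thread's own configuration. Rules are evaluated
top-down, first match wins, and anything unmatched hits the implicit deny at
the end of the role ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Destination aliases: constructed sample addresses, not the poster's real ones.
# A name-based alias resolves to every address behind the FQDN, so allowing the
# alias covers both the IP and the FQDN the client may use.
ALIASES = {
    "clearpass": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],  # VIP, server 1, server 2
    "proxy": ["192.0.2.50"],                                   # hypothetical proxy serving the PAC
    "apple-apns": ["17.0.0.0/8"],                              # Apple's push-notification space
}

SERVICE_NAMES = {"http": ("tcp", 80), "https": ("tcp", 443)}


@dataclass(frozen=True)
class Flow:
    dst: str      # destination IP the client connects to
    proto: str    # "tcp" or "udp"
    port: int


@dataclass(frozen=True)
class Rule:
    src: str                # "user" (the client) or "any"
    dst: str                # "any", "user", or an alias name
    proto: str              # "any", "tcp", "udp"
    port: Optional[int]     # None means any port
    action: str             # "permit" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse lines in the shapes seen in the thread:
    'user any tcp 1640 permit', 'user clearpass https permit', 'user any any permit'."""
    parts = line.split()
    src, dst, svc = parts[0], parts[1], parts[2]
    if svc in SERVICE_NAMES:
        proto, port = SERVICE_NAMES[svc]
        action = parts[3]
    elif svc == "any":
        proto, port, action = "any", None, parts[3]
    else:
        proto, port, action = svc, int(parts[3]), parts[4]
    return Rule(src, dst, proto, port, action)


def matches(rule: Rule, flow: Flow) -> bool:
    """True if a client-initiated flow hits this rule."""
    if rule.dst != "any":
        # 'user' as destination (return-direction rule) or an unknown alias
        # resolves to no networks and so never matches a client-opened flow.
        nets = [ip_network(n) for n in ALIASES.get(rule.dst, [])]
        if not any(ip_address(flow.dst) in n for n in nets):
            return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    return True


def evaluate(rules, flow: Flow) -> str:
    """First matching rule decides; unmatched traffic is implicitly denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def denied_flows(rules, flows) -> list:
    """Names of the flows a rule set does not permit, in the order given."""
    return [name for name, flow in flows.items() if evaluate(rules, flow) != "permit"]


# Flows the MacBook opens during onboarding (constructed from the thread's description).
ONBOARD_FLOWS = {
    "clearpass-http": Flow("192.0.2.10", "tcp", 80),
    "clearpass-https": Flow("192.0.2.10", "tcp", 443),
    "proxy-pac": Flow("192.0.2.50", "tcp", 8080),   # assumed proxy/PAC port
    "apns": Flow("17.0.0.1", "tcp", 5223),          # attempted, but not needed for the fix
}

# Rule sets as they appear in the thread, plus the proxy rule the OP ended up adding.
NARROW = [parse_rule(l) for l in [
    "user clearpass http permit",
    "user clearpass https permit",
    "user any tcp 1640 permit",
    "any user tcp 5223 permit",
]]
FIXED = NARROW + [parse_rule("user proxy tcp 8080 permit")]
ALLOW_ALL = [parse_rule("user any any permit")]

if __name__ == "__main__":
    for label, rules in (("narrow", NARROW), ("fixed", FIXED), ("allow-all", ALLOW_ALL)):
        print(f"{label:10s} denies: {denied_flows(rules, ONBOARD_FLOWS)}")
```

Running it shows the narrow set leaves the PAC fetch (and the APNS attempt) denied, adding the proxy rule clears the PAC fetch while APNS stays blocked, which matches the OP's observation that onboarding succeeded once the PAC was reachable, and the allow-all role denies nothing, which is why it masked the problem.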
